When a Cisco Adaptive Security Appliance (ASA) is initially configured,
it has a default security policy where everyone on the inside can get out, and
nobody from the outside can get in. If your site requires a different security
policy, you can allow outside users to connect to your web server through the
ASA.

Once you establish basic connectivity through the Cisco ASA, you can
make configuration changes to the firewall. Make sure any configuration changes
you make to the ASA are in compliance with your site security policy.

The information in this document is based on a Cisco Adaptive Security
Appliance (ASA) that runs version 8.3 and later.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

In this network, Host A is the web server with an internal address of
10.2.1.5. The web server is assigned an external (translated) address of
192.168.202.5. Internet users must point to 192.168.202.5 in order to access
the web server. The DNS entry for your web server needs to be that address. No
other connections are allowed from the Internet.
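The configuration below, added here as an illustration and not taken from the original page, implements this policy on an ASA running 8.3 or later: object NAT translates 10.2.1.5 to 192.168.202.5, and an extended access list admits only HTTP to the web server from the outside. The interface names `inside` and `outside` and the access-list name `outside_access_in` are assumptions.

```cisco
! Network object for the web server, defined by its real (inside) address
object network web-server
 host 10.2.1.5
 ! Static NAT: 10.2.1.5 on inside is seen as 192.168.202.5 on outside.
 ! With proxy ARP left at its default, the ASA answers ARP requests for
 ! 192.168.202.5 on the outside interface with its own MAC address.
 nat (inside,outside) static 192.168.202.5
!
! Only TCP/80 to the web server is permitted inbound. Every other connection
! from the Internet is dropped by the implicit deny at the end of the list.
! Since ASA 8.3, interface access lists match on the real (untranslated)
! address, so the rule references the object, not 192.168.202.5.
access-list outside_access_in extended permit tcp any object web-server eq www
!
! Apply the access list inbound on the outside interface
access-group outside_access_in in interface outside
```

Traffic from inside to outside is still allowed by the default security-level policy; the access list above only governs what the outside may initiate.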

Note: The IP addressing schemes used in this configuration are not legally
routable on the Internet. They are RFC 1918 addresses which have been used in a
lab environment.

The security appliance connects the same network on its inside and
outside interfaces. Because the firewall is not a routed hop, you can easily
introduce a transparent firewall to an existing network. IP re-addressing is
not necessary. IPv4 traffic is allowed through the transparent firewall
automatically from a higher security interface to a lower security interface,
without an access list. Address Resolution Protocols (ARPs) are allowed through
the transparent firewall in both directions without an access list. ARP traffic
can be controlled by ARP inspection. For Layer 3 traffic that travels from a
low to a high security interface, an extended access list is required.

Note: The transparent mode security appliance does not pass Cisco Discovery
Protocol (CDP) packets or IPv6 packets, or any packets that do not have a valid
EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for bridge protocol data units (BPDUs), which are
supported.

In router mode, some types of traffic cannot pass through the security
appliance even if you allow it in an access list. The transparent firewall,
however, can allow almost any traffic through using either an extended access
list (for IP traffic) or an EtherType access list (for non-IP traffic).

For example, you can establish routing protocol adjacencies through a
transparent firewall. You can allow Open Shortest Path First (OSPF), Routing
Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP),
or Border Gateway Protocol (BGP) traffic through based on an extended access
list. Similarly, protocols such as Hot Standby Router Protocol (HSRP) or
Virtual Router Redundancy Protocol (VRRP) can pass through the security
appliance.

Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be
configured to go through using an EtherType access list.

For features that are not directly supported on the transparent
firewall, you can allow traffic to pass through so that upstream and downstream
routers can support the functionality. For example, by using an extended access
list, you can allow Dynamic Host Configuration Protocol (DHCP) traffic (instead
of the unsupported DHCP relay feature) or multicast traffic such as that
created by IP/TV.

The Cisco Security Appliance is preconfigured to auto-detect the speed
and duplex settings on an interface. However, several situations can cause the
auto-negotiation process to fail, which results in a speed or duplex mismatch
(and performance problems). For mission-critical network infrastructure, Cisco
manually hardcodes the speed and duplex on each interface so there is no chance
for error. These devices generally do not move around, so once they are
configured properly, you should not need to change them.

In some situations, hardcoding the speed and duplex settings leads
to the generation of errors. Therefore, you need to configure the interface to
the default setting of auto-detect mode as this example shows:

In order to re-enable proxy ARP, enter this command in global
configuration mode:

ciscoasa(config)#no sysopt noproxyarp outside

When a host sends IP traffic to another device on the same Ethernet
network, the host needs to know the MAC address of the device. ARP is a Layer 2
protocol that resolves an IP address to a MAC address. A host sends an ARP
request and asks "Who is this IP address?". The device that owns the IP address
replies, "I own that IP address; here is my MAC address."

Proxy ARP allows the security appliance to reply to an ARP request
on behalf of hosts behind it. It does this by replying to ARP requests for the
static mapped addresses of those hosts. The security appliance responds to the
request with its own MAC address, then forwards the IP packets to the
appropriate inside host.

For example, in the diagram in this document, when an ARP request is made for
the global IP address of the web server, 192.168.202.5, the security appliance
responds with its own MAC address. If proxy ARP is not enabled in this
situation, hosts on the outside network of the security appliance cannot reach
the web server by issuing an ARP request for the address 192.168.202.5. Refer
to the command reference for more information about the sysopt command.

If everything appears to be correct, and users still cannot access
the web server, open a case with Cisco Technical Support.

A few hosts cannot connect to the Internet, and the error message
%ASA-4-407001: Deny traffic for local-host interface_name:inside_address,
license limit of number exceeded is received in the syslog. How is this error
resolved?

This error message is received when the number of users exceeds the
user limit of the installed license. In order to resolve this error, upgrade to
a license with a higher user limit; 50-user, 100-user, and unlimited-user
licenses are available as required.